50 Million Waze App Users Vulnerable to Stalking by Hackers

A newly detected vulnerability in the popular navigation app Waze can allow hackers to track the movements of all 50 million users in real time.

Waze is a "community-based traffic and navigation app" available for Android, iPhone, and Windows Phone. Google acquired it in 2013 for an estimated $1.1 billion.

How the Waze App Works

Waze is a community-based application that enables drivers to share traffic and road information with one another, including alerts on police stops, accidents, constructions, hazards, and traffic jams. Waze then analyzes that data for local users and plots out an optimal path for their daily commutes that will consume the least amount of time and fuel.

The Waze App Exploit

Researchers at the University of California-Santa Barbara recently discovered a vulnerability in the Waze application that allowed them to create thousands of “ghost drivers” that can monitor the drivers around them—an exploit that could be used to track Waze users in real-time.

“It’s such a massive privacy problem,” said Ben Zhao, professor of computer science at UC-Santa Barbara, who led the research team.

Here’s how the exploit works. In security terms, this exploit is called a man-in-the-middle attack. Waze's servers communicate with phones over an SSL-encrypted connection (thankfully!). The SSL encryption is a security precaution meant to ensure that Waze's servers are really communicating with a Waze app on someone's phone.

Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze’s backend app servers. The team then wrote a program that issues commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of “ghost cars”: cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.

Using an HTTPS proxy as a man-in-the-middle to intercept traffic between the Waze client and server

In a test of the discovery, Zhao and his graduate students tried the hack on a member of their team (with his permission).

A graphical view of the tracking result in LA downtown.

The story was first reported on Fusion. The reporter allowed these experiments to be done on her, and the results were scary. Here's what she wrote:

Last week, I tested the Waze vulnerability myself, to see how successfully the UC-Santa Barbara team could track me over a three-day period. I told them I’d be in Las Vegas and San Francisco, and where I was staying—the kind of information a snoopy stalker might know about someone he or she wanted to track. Then, their ghost army tried to keep tabs on where I went.

The researchers caught my movements on three occasions, including when I took a taxi to downtown Las Vegas for dinner:

And they caught me commuting to work on the bus in San Francisco. (Though they lost me when I went underground to take the subway.)

In this case, tracking was possible only while the Waze app was running in the foreground on the phone. Previously, this hack could track someone even if Waze was just running in the background of the phone. Zhao informed the security team at Google about the problem and made a version of the paper about their findings public last year. An update to the app in January of this year prevents it from broadcasting your location when the app is running in the background, an update that Waze described as an energy-saving feature.

The Danger

Well, many people, including the company, claim that this is not something to worry about, and that it is not something someone will do to stalk you. Believe me when I say that at Appknox, every time we try to do a responsible disclosure, this is exactly what companies claim. It might be right to some extent, but security is not something to implement only because there is a higher possibility of an exploit. A security measure should be implemented even if there is the slightest possibility of an exploit.

So, what could happen here with this exploit of the Waze app? Theoretically, a hacker could use this technique to go into the Waze system and download the activity of all the drivers using it. If they made the data public like the Ashley Madison hackers did, the public would suddenly have the opportunity to follow the movements of the over 50 million people who use Waze. If you know where someone lives, you would have a good idea of where to start tracking them.

Let's take a few steps back and consider whether this is also possible with other applications. Well, of course it is. Imagine if this were a dating app. One could create fake bot users near you, grab your details, and maybe even reveal them publicly. The damage can be considerable. It's just that we always think this will not happen to us.

Waze Official Announcement

After the story came out, Waze issued a response on its blog:

The reporter in the article gave her location and username to the research team which greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders.

That is true. But, like I said before, security measures should be put in place even for the remotest possibility of an exploit. Moreover, usernames and locations aren't really very hard to get, especially on community-based platforms.

We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants.

One thing that is good here is that Waze took action on this immediately. And if this really addresses the concern then that is good news for all its users.

On this, Zhao said that it “makes it more difficult (but not impossible) for the common attacker.” He said his team could try to reverse engineer the API encoding, but said that, at this point, they are “fairly happy with the outcome and ready to move on.”
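
The statement quoted above does not say what the safeguards are. As an added illustration (not Waze's code and not taken from the researchers' work), the Python below shows one kind of server-side plausibility check against ghost riders: it flags device IDs whose consecutive location reports imply an impossible speed, and device IDs that share one source address with many others. The report format, the thresholds and all sample values are assumptions constructed for this example.

```python
import math
from collections import defaultdict

MAX_SPEED_MPS = 70.0         # assumed ceiling (~250 km/h) for a real vehicle
MAX_DEVICES_PER_SOURCE = 5   # assumed limit of device IDs per source address

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def flag_ghost_devices(reports):
    """reports: (unix_ts, device_id, source_addr, lat, lon). Returns {device_id: reasons}."""
    flags = defaultdict(set)
    last_seen = {}
    devices_by_source = defaultdict(set)
    for ts, dev, src, lat, lon in sorted(reports):
        devices_by_source[src].add(dev)
        if dev in last_seen:
            pts, plat, plon = last_seen[dev]
            dist = haversine_m(plat, plon, lat, lon)
            # Treat same-second reports as one second apart to avoid dividing by zero.
            if dist > MAX_SPEED_MPS * max(ts - pts, 1):
                flags[dev].add("impossible_speed")
        last_seen[dev] = (ts, lat, lon)
    for devs in devices_by_source.values():
        if len(devs) > MAX_DEVICES_PER_SOURCE:
            for dev in devs:
                flags[dev].add("crowded_source")
    return dict(flags)

# Constructed sample data; addresses come from documentation-only IP ranges.
SAMPLE = (
    [(1000, "phone-a", "198.51.100.7", 34.0500, -118.2500),
     (1060, "phone-a", "198.51.100.7", 34.0550, -118.2500)]   # about 556 m in 60 s
    + [(1000 + i, f"ghost-{i}", "203.0.113.9", 34.05 + i * 0.001, -118.25)
       for i in range(8)]                                      # 8 device IDs, one source
    + [(1030, "ghost-0", "203.0.113.9", 36.1700, -115.1400)]  # Los Angeles to Las Vegas in 30 s
)

if __name__ == "__main__":
    for dev, reasons in sorted(flag_ghost_devices(SAMPLE).items()):
        print(dev, sorted(reasons))
```

Many legitimate phones can share one address behind carrier NAT, so the source-address signal is a reason to look closer rather than a verdict, and both thresholds would need tuning against real traffic.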

If you want to know if your mobile application has the same issue as Waze did or if you want to be proactive towards security, Appknox is here to help.



Published on May 3, 2016
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.

